From 5394fee3db3662c9c416e6a3ac187d4ddc57bf88 Mon Sep 17 00:00:00 2001
From: Anton
Date: Fri, 21 Jul 2023 11:48:19 +0200
Subject: [PATCH] Fix escape issues [SCI-8912]
---
app/controllers/user_my_modules_controller.rb | 2 +-
app/views/shared/smart_annotation/_experiment_items.html.erb | 4 ++--
app/views/shared/smart_annotation/_my_module_items.html.erb | 4 ++--
app/views/shared/smart_annotation/_project_items.html.erb | 4 ++--
app/views/shared/smart_annotation/_repository_items.html.erb | 4 ++--
app/views/shared/smart_annotation/_users.html.erb | 4 ++--
6 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/app/controllers/user_my_modules_controller.rb b/app/controllers/user_my_modules_controller.rb
index 1e2302ad8..05fc01a42 100644
--- a/app/controllers/user_my_modules_controller.rb
+++ b/app/controllers/user_my_modules_controller.rb
@@ -54,7 +54,7 @@ class UserMyModulesController < ApplicationController
 render json: {
 user: {
 id: @um.user.id,
- full_name: @um.user.full_name,
+ full_name: escape_input(@um.user.full_name),
 avatar_url: avatar_path(@um.user, :icon_small),
 user_module_id: @um.id
 }
diff --git a/app/views/shared/smart_annotation/_experiment_items.html.erb b/app/views/shared/smart_annotation/_experiment_items.html.erb
index 891b8b3d7..df987a447 100644
--- a/app/views/shared/smart_annotation/_experiment_items.html.erb
+++ b/app/views/shared/smart_annotation/_experiment_items.html.erb
@@ -7,10 +7,10 @@
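Review bot: Wrapping `full_name` in `escape_input` inside the `render json:` hash moves HTML escaping into the API layer, so this endpoint now returns entity-encoded text to every consumer, not only the one that inserts it as HTML; a client that sets the name via a text node or attribute will show the entities literally, and a client that escapes on its own will double-encode. Escaping is an output-context decision, so the more robust fix is to escape at the point where the value is inserted into the DOM and keep the JSON as plain data. If server-side escaping is kept on purpose, a comment such as `# escaped here because the atwho JS consumer inserts this value as HTML` next to the line would make that contract explicit to the next maintainer. I cannot see the definition of `escape_input`, so the exact encoding it applies is inferred, and the enclosing action method starts before the hunk.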
<% experiment_group[:experiments].each do |experiment| %> -
  • +
  • <%= experiment.code %> · - <%= experiment.name %> + <%= sanitize_input(experiment.name) %> <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
  • <% end %> diff --git a/app/views/shared/smart_annotation/_my_module_items.html.erb b/app/views/shared/smart_annotation/_my_module_items.html.erb index 2c705c550..6e2c72338 100644 --- a/app/views/shared/smart_annotation/_my_module_items.html.erb +++ b/app/views/shared/smart_annotation/_my_module_items.html.erb @@ -9,10 +9,10 @@
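Review bot: `<%= experiment.name %>` is already HTML-escaped by Rails' ERB output escaping, so wrapping it in `sanitize_input` changes the result only if that helper returns an `html_safe` string; in that case the line stops escaping outright and instead trusts the sanitizer's allow-list, which is a weaker guarantee for a field that should be plain text. If the original escape issue was that the name reached the page through a path that marks it `html_safe`, that path is the place to fix; otherwise keeping a plain escape, `<%= h(experiment.name) %>`, is the tighter choice. The same change is made in `_my_module_items.html.erb`, `_project_items.html.erb`, `_repository_items.html.erb` and `_users.html.erb`, so the same question applies to each. I cannot see the definition of `sanitize_input`, so whether it returns a safe-marked string is inferred from the fact that the change was needed at all.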
    <% task_group[:tasks].each do |task| %> -
  • +
  • <%= task.code %> · - <%= task.name %> + <%= sanitize_input(task.name) %> <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
  • <% end %> diff --git a/app/views/shared/smart_annotation/_project_items.html.erb b/app/views/shared/smart_annotation/_project_items.html.erb index bbfe46f3a..919c1ed04 100644 --- a/app/views/shared/smart_annotation/_project_items.html.erb +++ b/app/views/shared/smart_annotation/_project_items.html.erb @@ -1,10 +1,10 @@ <% limit_reached = projects.length == Constants::ATWHO_SEARCH_LIMIT + 1 %>
    <% projects.limit(Constants::ATWHO_SEARCH_LIMIT).each do |project| %> -
  • +
  • <%= project.code %> · - <%= project.name %> + <%= sanitize_input(project.name) %> <%= render partial: 'shared/smart_annotation/atwho_control_buttons' %>
  • <% end %> diff --git a/app/views/shared/smart_annotation/_repository_items.html.erb b/app/views/shared/smart_annotation/_repository_items.html.erb index 87cabd85f..0b453ee24 100644 --- a/app/views/shared/smart_annotation/_repository_items.html.erb +++ b/app/views/shared/smart_annotation/_repository_items.html.erb @@ -1,10 +1,10 @@ <% limit_reached = repository_rows.length == Constants::ATWHO_SEARCH_LIMIT + 1 %>
    <% repository_rows.take(Constants::ATWHO_SEARCH_LIMIT).each do |row| %> -
  • +
  • <%= row[:code] %> · - <%= row[:name] %> + <%= sanitize_input(row[:name]) %> <%= render partial: 'shared/smart_annotation/atwho_control_buttons', locals: { row: row, repository: repository } %>
  • <% end %> diff --git a/app/views/shared/smart_annotation/_users.html.erb b/app/views/shared/smart_annotation/_users.html.erb index 8e2c2c8a4..ce01f9e93 100644 --- a/app/views/shared/smart_annotation/_users.html.erb +++ b/app/views/shared/smart_annotation/_users.html.erb @@ -5,10 +5,10 @@
    <% users.limit(Constants::ATWHO_SEARCH_LIMIT).each do |user| %> -
  • +